Date: Fri, 26 Jun 2009 03:51:07 -0700 (PDT)
From: "Tim Ellison (JIRA)"
To: commits@harmony.apache.org
Subject: [jira] Updated: (HARMONY-6248) Wildcard subjectAltName dNSName entries throw IOException

[ https://issues.apache.org/jira/browse/HARMONY-6248?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Tim Ellison updated HARMONY-6248:
---------------------------------

    Attachment: harmony-6248.patch

Ian, I assume that the wildcard value only makes sense at the left hand side, and we would not allow a simple '*' as the full dns, i.e. it should only be allowed as a "*." name prefix?

Please try this patch and see if it fixes the issue for you.

> Wildcard subjectAltName dNSName entries throw IOException
> ---------------------------------------------------------
>
>                 Key: HARMONY-6248
>                 URL: https://issues.apache.org/jira/browse/HARMONY-6248
>             Project: Harmony
>          Issue Type: Bug
>          Components: Classlib
>            Reporter: Ian Payton
>         Attachments: harmony-6248.patch
>
>
> Using the DRLCertFactory JCE provider, calling getSubjectAlternativeNames() on an X509Certificate throws IOException if the subjectAltName extension in the certificate contains a dNSName entry with a wildcard (such as "*.example.com").
> This is ultimately because GeneralName::checkDNS() does not allow wildcard entries. RFC3280 and RFC1034 both discuss wildcards, although a strict reading of RFC3280 would *appear* not to allow for them in a subjectAltName dNSName. However, RFC3280 explicitly allows for application-specific semantics of use of wildcards in subjectAltName. As the Harmony code currently stands, it is not possible for an application to even retrieve the subjectAltName values if they contain a dNSName that does not strictly conform to the "preferred name syntax" in RFC1034. So it is not possible for an application to make the decision on what semantics to apply to a wildcard value.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
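The rule raised in the comment above (a wildcard accepted only as a leading "*." label, a bare "*" rejected, everything else held to the RFC 1034 preferred name syntax) can be written as the following added Java example. It is not the attached harmony-6248.patch or Harmony's GeneralName code; the class name, method names and sample names are hypothetical.

```java
import java.io.IOException;

// Added illustration: class and method names are hypothetical, not Harmony's.
public final class DnsNameCheck {

    // Checks a dNSName against the RFC 1034 preferred name syntax, but also
    // accepts one wildcard, and only as a leading "*." label.
    static void checkDNS(String name) throws IOException {
        String rest = name.startsWith("*.") ? name.substring(2) : name;
        if (rest.isEmpty()) {               // rejects "" and "*."
            throw new IOException("Bad dNSName: " + name);
        }
        // Limit -1 keeps empty labels, so "a..b" and a trailing dot are rejected
        // (assumption: certificate names are written without the root dot).
        for (String label : rest.split("\\.", -1)) {
            if (!isPreferredLabel(label)) { // also rejects "*" and "www.*.x"
                throw new IOException("Bad dNSName: " + name);
            }
        }
    }

    // <label> ::= <letter> [ [ <ldh-str> ] <let-dig> ], at most 63 characters
    static boolean isPreferredLabel(String label) {
        int n = label.length();
        if (n == 0 || n > 63) return false;
        if (!isLetter(label.charAt(0))) return false;
        if (!isLetter(label.charAt(n - 1)) && !isDigit(label.charAt(n - 1))) return false;
        for (int i = 1; i < n - 1; i++) {
            char c = label.charAt(i);
            if (!isLetter(c) && !isDigit(c) && c != '-') return false;
        }
        return true;
    }

    static boolean isLetter(char c) { return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z'); }
    static boolean isDigit(char c) { return c >= '0' && c <= '9'; }

    public static void main(String[] args) {
        // Constructed sample names, not taken from a real certificate.
        String[] samples = {"*.example.com", "www.example.com", "*", "*.",
                            "www.*.example.com", "*a.example.com", "a..b"};
        for (String s : samples) {
            try {
                checkDNS(s);
                System.out.println("accepted: " + s);
            } catch (IOException e) {
                System.out.println("rejected: " + s);
            }
        }
    }
}
```

Accepting the name at parse time only lets the application retrieve it; whether "*.example.com" matches a given host remains the application's decision, as the issue description says.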